HHS Cybersecurity Guidance - You Still Have Work to Do
The U.S. Department of Health and Human Services Office for Civil Rights ("HHS") recently issued a quick response checklist outlining the steps a HIPAA covered entity or business associate should take in response to a cyber-related security incident. The HHS checklist offers general, step-by-step guidance for healthcare providers in the event of a security incident, which includes: (1) immediately executing response procedures and contingency plans to fix technical problems and stop the security incident; (2) reporting the security incident to appropriate law enforcement agencies; (3) reporting all cyber threat indicators to federal and information-sharing analysis organizations; and (4) reporting a breach to HHS as soon as possible (but no later than 60 days after the discovery of a breach affecting 500 or more individuals).
While the HHS checklist is certainly a practical resource for healthcare providers, it does not (and absolutely should not) alleviate a healthcare provider's responsibility to create, implement, and continuously test/update an incident response plan ("IRP") tailored to that provider's circumstances and vulnerabilities. Relying solely on the HHS checklist without an IRP will surely result in panic-based reactions with no structure to guide next steps when a cyber-related security incident inevitably occurs. Further, because of the strict requirements contained in the HIPAA Security Rule – including a duty to identify and respond to security incidents, mitigate harmful effects, and document security incidents and outcomes – a healthcare provider must be particularly vigilant in being cyber-prepared.
Effective and adequate cybersecurity requires early preparation to ensure an appropriate and effective response later. The HHS checklist, though helpful, should be viewed merely as one of a multitude of best-practice guides issued by federal agencies to help healthcare providers and other businesses develop and implement cybersecurity measures. For more information about how best to respond to a cyber-related security incident and protect your business against a cyber-attack, see the Department of Justice's Incident Response Procedure Instructions or the Federal Trade Commission's Data Breach Response Guide. Please contact Jonathan Klein at (215) 640-8535 | email@example.com or another member of Clark Hill's Cybersecurity team if you have any questions.